Merge branch 'master' into 22604-manual-actions

* master: (28 commits)
  Merge branch 'jej-23867-use-mr-finder-instead-of-access-check' ...
  Merge branch 'html-safe-diff-line-content' into 'security'
  Merge branch 'rs-filter-authentication_token' into 'security'
  Merge branch 'destroy-session' into 'security'
  Updating reference to database password
  Update CHANGELOG.md for 8.13.9
  Update CHANGELOG.md for 8.14.4
  Don't check if stage name doesn't exist
  Various small emoji positioning adjustments
  Add nested groups support on data level
  Update factory_girl_rails to 4.7.0
  Correct previous stable branch used in 8.14 to 8.15 update guide
  Enable display of admonition icons in Asciidoc.
  add link_to_if helper on target_branch link on Merge Request ...
  Fade out should be white instead of gray
  Do nothing if file is undefined
  fix: 24982- Remove'Signed in successfully' message After this ...
  adds impersonator variable and makes sudo usage overall more clear
  Reenables /user API request to return private-token if user is ...
  Fixed timeago re-rendering every element
  ...

.eslintrc

@@ -8,7 +8,8 @@
   "globals": {
     "_": false,
     "gl": false,
-    "gon": false
+    "gon": false,
+    "localStorage": false
   },
   "plugins": [
     "filenames"

CHANGELOG.md

@@ -2,6 +2,19 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
 
+## 8.14.4 (2016-12-08)
+
+- Fix diff view permalink highlighting. !7090
+- Fix pipeline author for Slack and use pipeline id for pipeline link. !7506
+- Fix compatibility with Internet Explorer 11 for merge requests. !7525 (Steffen Rauh)
+- Reenables /user API request to return private-token if user is admin and request is made with sudo. !7615
+- Fix Cicking on tabs on pipeline page should set URL. !7709
+- Authorize users into imported GitLab project.
+- Destroy a user's session when they delete their own account.
+- Don't accidentally mark unsafe diff lines as HTML safe.
+- Replace MR access checks with use of MergeRequestsFinder.
+- Remove visible content caching.
+
 ## 8.14.3 (2016-12-02)
 
 - Pass commit data to ProcessCommitWorker to reduce Git overhead. !7744
@@ -251,6 +264,11 @@ entry.
 - Fix "Without projects" filter. !6611 (Ben Bodenmiller)
 - Fix 404 when visit /projects page
 
+## 8.13.9 (2016-12-08)
+
+- Reenables /user API request to return private-token if user is admin and request is made with sudo. !7615
+- Replace MR access checks with use of MergeRequestsFinder.
+
 ## 8.13.8 (2016-12-02)
 
 - Pass tag SHA to post-receive hook when tag is created via UI. !7700

Gemfile

@@ -271,7 +271,7 @@ group :development, :test do
   gem 'fuubar', '~> 2.0.0'
 
   gem 'database_cleaner',   '~> 1.5.0'
-  gem 'factory_girl_rails', '~> 4.6.0'
+  gem 'factory_girl_rails', '~> 4.7.0'
   gem 'rspec-rails',        '~> 3.5.0'
   gem 'rspec-retry',        '~> 0.4.5'
   gem 'spinach-rails',      '~> 0.2.1'

Gemfile.lock

@@ -177,10 +177,10 @@ GEM
     excon (0.52.0)
     execjs (2.6.0)
     expression_parser (0.9.0)
-    factory_girl (4.5.0)
+    factory_girl (4.7.0)
       activesupport (>= 3.0.0)
-    factory_girl_rails (4.6.0)
-      factory_girl (~> 4.5.0)
+    factory_girl_rails (4.7.0)
+      factory_girl (~> 4.7.0)
       railties (>= 3.0.0)
     faraday (0.9.2)
       multipart-post (>= 1.2, < 3)
@@ -819,7 +819,7 @@ DEPENDENCIES
   dropzonejs-rails (~> 0.7.1)
   email_reply_parser (~> 0.5.8)
   email_spec (~> 1.6.0)
-  factory_girl_rails (~> 4.6.0)
+  factory_girl_rails (~> 4.7.0)
   ffaker (~> 2.0.0)
   flay (~> 2.6.1)
   fog-aws (~> 0.9)

app/assets/javascripts/blob/template_selector.js.es6

@@ -70,6 +70,8 @@
       // e.g.
       // Api.gitignoreText item.name, @requestFileSuccess.bind(@)
       requestFileSuccess(file, { skipFocus } = {}) {
+        if (!file) return;
+
         const oldValue = this.editor.getValue();
         let newValue = file.content;
 

app/assets/javascripts/dispatcher.js.es6

@@ -24,6 +24,7 @@
       switch (page) {
         case 'sessions:new':
           new UsernameValidator();
+          new ActiveTabMemoizer();
           break;
         case 'projects:boards:show':
         case 'projects:boards:index':

app/assets/javascripts/lib/utils/datetime_utility.js

@@ -29,7 +29,7 @@
         setTimeago = true;
       }
 
-      $timeagoEls.each(function() {
+      $timeagoEls.filter(':not([data-timeago-rendered])').each(function() {
         var $el = $(this);
         $el.attr('title', gl.utils.formatDate($el.attr('datetime')));
 
@@ -39,6 +39,8 @@
             template: '<div class="tooltip local-timeago" role="tooltip"><div class="tooltip-arrow"></div><div class="tooltip-inner"></div></div>'
           });
         }
+
+        $el.attr('data-timeago-rendered', true);
         gl.utils.renderTimeago($el);
       });
     };

app/assets/javascripts/signin_tabs_memoizer.js.es6

+/* eslint no-param-reassign: ["error", { "props": false }]*/
+/* eslint no-new: "off" */
+((global) => {
+  /**
+   * Memorize the last selected tab after reloading a page.
+   * Does that setting the current selected tab in the localStorage
+   */
+  class ActiveTabMemoizer {
+    constructor({ currentTabKey = 'current_signin_tab', tabSelector = 'ul.nav-tabs' } = {}) {
+      this.currentTabKey = currentTabKey;
+      this.tabSelector = tabSelector;
+      this.bootstrap();
+    }
+
+    bootstrap() {
+      const tabs = document.querySelectorAll(this.tabSelector);
+      if (tabs.length > 0) {
+        tabs[0].addEventListener('click', (e) => {
+          if (e.target && e.target.nodeName === 'A') {
+            const anchorName = e.target.getAttribute('href');
+            this.saveData(anchorName);
+          }
+        });
+      }
+
+      this.showTab();
+    }
+
+    showTab() {
+      const anchorName = this.readData();
+      if (anchorName) {
+        const tab = document.querySelector(`${this.tabSelector} a[href="${anchorName}"]`);
+        if (tab) {
+          tab.click();
+        }
+      }
+    }
+
+    saveData(val) {
+      localStorage.setItem(this.currentTabKey, val);
+    }
+
+    readData() {
+      return localStorage.getItem(this.currentTabKey);
+    }
+  }
+
+  global.ActiveTabMemoizer = ActiveTabMemoizer;
+})(window);

app/assets/stylesheets/framework.scss

@@ -6,6 +6,7 @@
 
 @import "framework/animations.scss";
 @import "framework/avatar.scss";
+@import "framework/asciidoctor.scss";
 @import "framework/blocks.scss";
 @import "framework/buttons.scss";
 @import "framework/calendar.scss";

app/assets/stylesheets/framework/asciidoctor.scss

+.admonitionblock td.icon {
+  width: 1%;
+
+  [class^="fa icon-"] {
+    @extend .fa-2x;
+  }
+
+  .icon-note {
+    @extend .fa-thumb-tack;
+  }
+
+  .icon-tip {
+    @extend .fa-lightbulb-o;
+  }
+
+  .icon-warning {
+    @extend .fa-exclamation-triangle;
+  }
+
+  .icon-caution {
+    @extend .fa-fire;
+  }
+
+  .icon-important {
+    @extend .fa-exclamation-circle;
+  }
+}

app/assets/stylesheets/framework/awards.scss

 .awards {
   .emoji-icon {
-    width: 19px;
-    height: 19px;
+    width: 20px;
+    height: 20px;
   }
 }
 
@@ -136,5 +136,6 @@
 
   .award-control-icon {
     color: $award-emoji-new-btn-icon-color;
+    margin-top: 1px;
   }
 }

app/assets/stylesheets/framework/common.scss

@@ -255,6 +255,7 @@ img.emoji {
   height: 20px;
   vertical-align: top;
   width: 20px;
+  margin-top: 1px;
 }
 
 .chart {

app/assets/stylesheets/pages/notes.scss

@@ -124,7 +124,7 @@ ul.notes {
             position: absolute;
             left: 0;
             bottom: 0;
-            background: linear-gradient(rgba($gray-light, 0.1) -100px, $white-light 100%);
+            background: linear-gradient(rgba($white-light, 0.1) -100px, $white-light 100%);
           }
 
           &.hide-shade {
@@ -413,7 +413,6 @@ ul.notes {
   .fa {
     color: $notes-action-color;
     position: relative;
-    top: 1px;
     font-size: 17px;
   }
 

app/controllers/admin/groups_controller.rb

@@ -56,7 +56,7 @@ class Admin::GroupsController < Admin::ApplicationController
   private
 
   def group
-    @group ||= Group.find_by(path: params[:id])
+    @group ||= Group.find_by_full_path(params[:id])
   end
 
   def group_params

app/controllers/concerns/creates_commit.rb

@@ -81,10 +81,8 @@ module CreatesCommit
   def merge_request_exists?
     return @merge_request if defined?(@merge_request)
 
-    @merge_request = @mr_target_project.merge_requests.opened.find_by(
-      source_branch: @mr_source_branch,
-      target_branch: @mr_target_branch
-    )
+    @merge_request = MergeRequestsFinder.new(current_user, project_id: @mr_target_project.id).execute.opened.
+      find_by(source_branch: @mr_source_branch, target_branch: @mr_target_branch)
   end
 
   def different_project?

app/controllers/groups/application_controller.rb

@@ -9,7 +9,7 @@ class Groups::ApplicationController < ApplicationController
   def group
     unless @group
       id = params[:group_id] || params[:id]
-      @group = Group.find_by(path: id)
+      @group = Group.find_by_full_path(id)
 
       unless @group && can?(current_user, :read_group, @group)
         @group = nil

app/controllers/projects/commit_controller.rb

@@ -65,7 +65,7 @@ class Projects::CommitController < Projects::ApplicationController
 
     return render_404 if @target_branch.blank?
 
-    create_commit(Commits::RevertService, success_notice: "The #{@commit.change_type_title} has been successfully reverted.",
+    create_commit(Commits::RevertService, success_notice: "The #{@commit.change_type_title(current_user)} has been successfully reverted.",
                                           success_path: successful_change_path, failure_path: failed_change_path)
   end
 
@@ -74,26 +74,24 @@ class Projects::CommitController < Projects::ApplicationController
 
     return render_404 if @target_branch.blank?
 
-    create_commit(Commits::CherryPickService, success_notice: "The #{@commit.change_type_title} has been successfully cherry-picked.",
+    create_commit(Commits::CherryPickService, success_notice: "The #{@commit.change_type_title(current_user)} has been successfully cherry-picked.",
                                               success_path: successful_change_path, failure_path: failed_change_path)
   end
 
   private
 
   def successful_change_path
-    return referenced_merge_request_url if @commit.merged_merge_request
-
-    namespace_project_commits_url(@project.namespace, @project, @target_branch)
+    referenced_merge_request_url || namespace_project_commits_url(@project.namespace, @project, @target_branch)
   end
 
   def failed_change_path
-    return referenced_merge_request_url if @commit.merged_merge_request
-
-    namespace_project_commit_url(@project.namespace, @project, params[:id])
+    referenced_merge_request_url || namespace_project_commit_url(@project.namespace, @project, params[:id])
   end
 
   def referenced_merge_request_url
-    namespace_project_merge_request_url(@project.namespace, @project, @commit.merged_merge_request)
+    if merge_request = @commit.merged_merge_request(current_user)
+      namespace_project_merge_request_url(@project.namespace, @project, merge_request)
+    end
   end
 
   def commit

app/controllers/projects/commits_controller.rb

@@ -21,7 +21,7 @@ class Projects::CommitsController < Projects::ApplicationController
     @note_counts = project.notes.where(commit_id: @commits.map(&:id)).
       group(:commit_id).count
 
-    @merge_request = @project.merge_requests.opened.
+    @merge_request = MergeRequestsFinder.new(current_user, project_id: @project.id).execute.opened.
       find_by(source_project: @project, source_branch: @ref, target_branch: @repository.root_ref)
 
     respond_to do |format|

app/controllers/projects/compare_controller.rb

@@ -53,7 +53,7 @@ class Projects::CompareController < Projects::ApplicationController
   end
 
   def merge_request
-    @merge_request ||= @project.merge_requests.opened.
+    @merge_request ||= MergeRequestsFinder.new(current_user, project_id: @project.id).execute.opened.
       find_by(source_project: @project, source_branch: @head_ref, target_branch: @start_ref)
   end
 end

app/controllers/projects/discussions_controller.rb

@@ -24,7 +24,7 @@ class Projects::DiscussionsController < Projects::ApplicationController
   private
 
   def merge_request
-    @merge_request ||= @project.merge_requests.find_by!(iid: params[:merge_request_id])
+    @merge_request ||= MergeRequestsFinder.new(current_user, project_id: @project.id).find_by!(iid: params[:merge_request_id])
   end
 
   def discussion

app/controllers/projects/project_members_controller.rb

@@ -10,14 +10,38 @@ class Projects::ProjectMembersController < Projects::ApplicationController
     @project_members = @project.project_members
     @project_members = @project_members.non_invite unless can?(current_user, :admin_project, @project)
 
+    group = @project.group
+
+    if group
+      # We need `.where.not(user_id: nil)` here otherwise when a group has an
+      # invitee, it would make the following query return 0 rows since a NULL
+      # user_id would be present in the subquery
+      # See http://stackoverflow.com/questions/129077/not-in-clause-and-null-values
+      # FIXME: This whole logic should be moved to a finder!
+      non_null_user_ids = @project_members.where.not(user_id: nil).select(:user_id)
+      group_members = group.group_members.where.not(user_id: non_null_user_ids)
+      group_members = group_members.non_invite unless can?(current_user, :admin_group, @group)
+    end
+
     if params[:search].present?
-      users = @project.users.search(params[:search]).to_a
-      @project_members = @project_members.where(user_id: users)
+      user_ids = @project.users.search(params[:search]).select(:id)
+      @project_members = @project_members.where(user_id: user_ids)
+
+      if group_members
+        user_ids = group.users.search(params[:search]).select(:id)
+        group_members = group_members.where(user_id: user_ids)
+      end
 
       @group_links = @project.project_group_links.where(group_id: @project.invited_groups.search(params[:search]).select(:id))
     end
 
-    @project_members = @project_members.order(access_level: :desc).page(params[:page])
+    member_ids = @project_members.pluck(:id)
+
+    if group_members
+      member_ids += group_members.pluck(:id)
+    end
+
+    @project_members = Member.where(id: member_ids).order(access_level: :desc).page(params[:page])
 
     @requesters = AccessRequestsFinder.new(@project).execute(current_user)
 

app/controllers/projects/todos_controller.rb

@@ -18,7 +18,7 @@ class Projects::TodosController < Projects::ApplicationController
       when "issue"
         IssuesFinder.new(current_user, project_id: @project.id).find(params[:issuable_id])
       when "merge_request"
-        @project.merge_requests.find(params[:issuable_id])
+        MergeRequestsFinder.new(current_user, project_id: @project.id).find(params[:issuable_id])
       end
     end
   end

app/controllers/registrations_controller.rb

@@ -27,7 +27,10 @@ class RegistrationsController < Devise::RegistrationsController
     DeleteUserService.new(current_user).execute(current_user)
 
     respond_to do |format|
-      format.html { redirect_to new_user_session_path, notice: "Account successfully removed." }
+      format.html do
+        session.try(:destroy)
+        redirect_to new_user_session_path, notice: "Account successfully removed."
+      end 
     end
   end
 

app/controllers/sessions_controller.rb

@@ -31,6 +31,8 @@ class SessionsController < Devise::SessionsController
         resource.update_attributes(reset_password_token: nil,
                                    reset_password_sent_at: nil)
       end
+      # hide the signed-in notification
+      flash[:notice] = nil
       log_audit_event(current_user, with: authentication_method)
     end
   end

app/finders/issuable_finder.rb

@@ -77,6 +77,10 @@ class IssuableFinder
     counts
   end
 
+  def find_by!(*params)
+    execute.find_by!(*params)
+  end
+
   def group
     return @group if defined?(@group)
 

app/finders/notes_finder.rb

@@ -14,7 +14,7 @@ class NotesFinder
       when "issue"
         IssuesFinder.new(current_user, project_id: project.id).find(target_id).notes.inc_author
       when "merge_request"
-        project.merge_requests.find(target_id).mr_and_commit_notes.inc_author
+        MergeRequestsFinder.new(current_user, project_id: project.id).find(target_id).mr_and_commit_notes.inc_author
       when "snippet", "project_snippet"
         project.snippets.find(target_id).notes
       else

app/helpers/commits_helper.rb

@@ -130,7 +130,7 @@ module CommitsHelper
   def revert_commit_link(commit, continue_to_path, btn_class: nil, has_tooltip: true)
     return unless current_user
 
-    tooltip = "Revert this #{commit.change_type_title} in a new merge request" if has_tooltip
+    tooltip = "Revert this #{commit.change_type_title(current_user)} in a new merge request" if has_tooltip
 
     if can_collaborate_with_project?
       btn_class = "btn btn-warning btn-#{btn_class}" unless btn_class.nil?
@@ -154,7 +154,7 @@ module CommitsHelper
   def cherry_pick_commit_link(commit, continue_to_path, btn_class: nil, has_tooltip: true)
     return unless current_user
 
-    tooltip = "Cherry-pick this #{commit.change_type_title} in a new merge request"
+    tooltip = "Cherry-pick this #{commit.change_type_title(current_user)} in a new merge request"
 
     if can_collaborate_with_project?
       btn_class = "btn btn-default btn-#{btn_class}" unless btn_class.nil?

app/helpers/diff_helper.rb

@@ -55,7 +55,9 @@ module DiffHelper
     if line.blank?
       " ".html_safe
     else
-      line.sub(/^[\-+ ]/, '').html_safe
+      # We can't use `sub` because the HTML-safeness of `line` will not survive.
+      line[0] = '' if line.start_with?('+', '-', ' ')
+      line
     end
   end
 

app/helpers/groups_helper.rb

@@ -5,7 +5,7 @@ module GroupsHelper
 
   def group_icon(group)
     if group.is_a?(String)
-      group = Group.find_by(path: group)
+      group = Group.find_by_full_path(group)
     end
 
     group.try(:avatar_url) || image_path('no_group_avatar.png')

app/models/commit.rb

@@ -245,44 +245,47 @@ class Commit
     project.repository.next_branch("cherry-pick-#{short_id}", mild: true)
   end
 
-  def revert_description
-    if merged_merge_request
-      "This reverts merge request #{merged_merge_request.to_reference}"
+  def revert_description(user)
+    if merged_merge_request?(user)
+      "This reverts merge request #{merged_merge_request(user).to_reference}"
     else
       "This reverts commit #{sha}"
     end
   end
 
-  def revert_message
-    %Q{Revert "#{title.strip}"\n\n#{revert_description}}
+  def revert_message(user)
+    %Q{Revert "#{title.strip}"\n\n#{revert_description(user)}}
   end
 
-  def reverts_commit?(commit)
-    description? && description.include?(commit.revert_description)
+  def reverts_commit?(commit, user)
+    description? && description.include?(commit.revert_description(user))
   end
 
   def merge_commit?
     parents.size > 1
   end
 
-  def merged_merge_request
-    return @merged_merge_request if defined?(@merged_merge_request)
-
-    @merged_merge_request = project.merge_requests.find_by(merge_commit_sha: id) if merge_commit?
+  def merged_merge_request(current_user)
+    # Memoize with per-user access check
+    @merged_merge_request_hash ||= Hash.new do |hash, user|
+      hash[user] = merged_merge_request_no_cache(user)
+    end
+    
+    @merged_merge_request_hash[current_user]
   end
 
-  def has_been_reverted?(current_user = nil, noteable = self)
+  def has_been_reverted?(current_user, noteable = self)
     ext = all_references(current_user)
 
     noteable.notes_with_associations.system.each do |note|
       note.all_references(current_user, extractor: ext)
     end
 
-    ext.commits.any? { |commit_ref| commit_ref.reverts_commit?(self) }
+    ext.commits.any? { |commit_ref| commit_ref.reverts_commit?(self, current_user) }
   end
 
-  def change_type_title
-    merged_merge_request ? 'merge request' : 'commit'
+  def change_type_title(user)
+    merged_merge_request?(user) ? 'merge request' : 'commit'
   end
 
   # Get the URI type of the given path
@@ -350,4 +353,12 @@ class Commit
 
     changes
   end
+
+  def merged_merge_request?(user)
+    !!merged_merge_request(user)
+  end
+
+  def merged_merge_request_no_cache(user)
+    MergeRequestsFinder.new(user, project_id: project.id).find_by(merge_commit_sha: id) if merge_commit?
+  end
 end

app/models/concerns/milestoneish.rb

 module Milestoneish
-  def closed_items_count(user = nil)
+  def closed_items_count(user)
     issues_visible_to_user(user).closed.size + merge_requests.closed_and_merged.size
   end
 
-  def total_items_count(user = nil)
+  def total_items_count(user)
     issues_visible_to_user(user).size + merge_requests.size
   end
 
-  def complete?(user = nil)
+  def complete?(user)
     total_items_count(user) > 0 && total_items_count(user) == closed_items_count(user)
   end
 
-  def percent_complete(user = nil)
+  def percent_complete(user)
     ((closed_items_count(user) * 100) / total_items_count(user)).abs
   rescue ZeroDivisionError
     0
@@ -29,7 +29,7 @@ module Milestoneish
     (Date.today - start_date).to_i
   end
 
-  def issues_visible_to_user(user = nil)
+  def issues_visible_to_user(user)
     issues.visible_to_user(user)
   end
 

app/models/concerns/routable.rb

+# Store object full path in separate table for easy lookup and uniq validation
+# Object must have path db field and respond to full_path and full_path_changed? methods.
+module Routable
+  extend ActiveSupport::Concern
+
+  included do
+    has_one :route, as: :source, autosave: true, dependent: :destroy
+
+    validates_associated :route
+
+    before_validation :update_route_path, if: :full_path_changed?
+  end
+
+  class_methods do
+    # Finds a single object by full path match in routes table.
+    #
+    # Usage:
+    #
+    #     Klass.find_by_full_path('gitlab-org/gitlab-ce')
+    #
+    # Returns a single object, or nil.
+    def find_by_full_path(path)
+      # On MySQL we want to ensure the ORDER BY uses a case-sensitive match so
+      # any literal matches come first, for this we have to use "BINARY".
+      # Without this there's still no guarantee in what order MySQL will return
+      # rows.
+      binary = Gitlab::Database.mysql? ? 'BINARY' : ''
+
+      order_sql = "(CASE WHEN #{binary} routes.path = #{connection.quote(path)} THEN 0 ELSE 1 END)"
+
+      where_paths_in([path]).reorder(order_sql).take
+    end
+
+    # Builds a relation to find multiple objects by their full paths.
+    #
+    # Usage:
+    #
+    #     Klass.where_paths_in(%w{gitlab-org/gitlab-ce gitlab-org/gitlab-ee})
+    #
+    # Returns an ActiveRecord::Relation.
+    def where_paths_in(paths)
+      wheres = []
+      cast_lower = Gitlab::Database.postgresql?
+
+      paths.each do |path|
+        path = connection.quote(path)
+        where = "(routes.path = #{path})"
+
+        if cast_lower
+          where = "(#{where} OR (LOWER(routes.path) = LOWER(#{path})))"
+        end
+
+        wheres << where
+      end
+
+      if wheres.empty?
+        none
+      else
+        joins(:route).where(wheres.join(' OR '))
+      end
+    end
+  end
+
+  private
+
+  def update_route_path
+    route || build_route(source: self)
+    route.path = full_path
+  end
+end

app/models/merge_request.rb

@@ -805,7 +805,7 @@ class MergeRequest < ActiveRecord::Base
     @merge_commit ||= project.commit(merge_commit_sha) if merge_commit_sha
   end
 
-  def can_be_reverted?(current_user = nil)
+  def can_be_reverted?(current_user)
     merge_commit && !merge_commit.has_been_reverted?(current_user, self)
   end
 

app/models/namespace.rb

@@ -4,12 +4,16 @@ class Namespace < ActiveRecord::Base
   include CacheMarkdownField
   include Sortable
   include Gitlab::ShellAdapter
+  include Routable
 
   cache_markdown_field :description, pipeline: :description
 
   has_many :projects, dependent: :destroy
   belongs_to :owner, class_name: "User"
 
+  belongs_to :parent, class_name: "Namespace"
+  has_many :children, class_name: "Namespace", foreign_key: :parent_id
+
   validates :owner, presence: true, unless: ->(n) { n.type == "Group" }
   validates :name,
     presence: true,
@@ -86,7 +90,7 @@ class Namespace < ActiveRecord::Base
   end
 
   def to_param
-    path
+    full_path
   end
 
   def human_name
@@ -150,6 +154,14 @@ class Namespace < ActiveRecord::Base
     Gitlab.config.lfs.enabled
   end
 
+  def full_path
+    if parent
+      parent.full_path + '/' + path
+    else
+      path
+    end
+  end
+
   private
 
   def repository_storage_paths
@@ -185,4 +197,8 @@ class Namespace < ActiveRecord::Base
       where(projects: { namespace_id: id }).
       find_each(&:refresh_members_authorized_projects)
   end
+
+  def full_path_changed?
+    path_changed? || parent_id_changed?
+  end
 end

app/models/project.rb

@@ -14,6 +14,7 @@ class Project < ActiveRecord::Base
   include TokenAuthenticatable
   include ProjectFeaturesCompatibility
   include SelectForProjectAuthorization
+  include Routable
 
   extend Gitlab::ConfigHelper
 
@@ -324,87 +325,6 @@ class Project < ActiveRecord::Base
       non_archived.where(table[:name].matches(pattern))
     end
 
-    # Finds a single project for the given path.
-    #
-    # path - The full project path (including namespace path).
-    #
-    # Returns a Project, or nil if no project could be found.
-    def find_with_namespace(path)
-      namespace_path, project_path = path.split('/', 2)
-
-      return unless namespace_path && project_path
-
-      namespace_path = connection.quote(namespace_path)
-      project_path = connection.quote(project_path)
-
-      # On MySQL we want to ensure the ORDER BY uses a case-sensitive match so
-      # any literal matches come first, for this we have to use "BINARY".
-      # Without this there's still no guarantee in what order MySQL will return
-      # rows.
-      binary = Gitlab::Database.mysql? ? 'BINARY' : ''
-
-      order_sql = "(CASE WHEN #{binary} namespaces.path = #{namespace_path} " \
-        "AND #{binary} projects.path = #{project_path} THEN 0 ELSE 1 END)"
-
-      where_paths_in([path]).reorder(order_sql).take
-    end
-
-    # Builds a relation to find multiple projects by their full paths.
-    #
-    # Each path must be in the following format:
-    #
-    #     namespace_path/project_path
-    #
-    # For example:
-    #
-    #     gitlab-org/gitlab-ce
-    #
-    # Usage:
-    #
-    #     Project.where_paths_in(%w{gitlab-org/gitlab-ce gitlab-org/gitlab-ee})
-    #
-    # This would return the projects with the full paths matching the values
-    # given.
-    #
-    # paths - An Array of full paths (namespace path + project path) for which
-    #         to find the projects.
-    #
-    # Returns an ActiveRecord::Relation.
-    def where_paths_in(paths)
-      wheres = []
-      cast_lower = Gitlab::Database.postgresql?
-
-      paths.each do |path|
-        namespace_path, project_path = path.split('/', 2)
-
-        next unless namespace_path && project_path
-
-        namespace_path = connection.quote(namespace_path)
-        project_path = connection.quote(project_path)
-
-        where = "(namespaces.path = #{namespace_path}
-          AND projects.path = #{project_path})"
-
-        if cast_lower
-          where = "(
-            #{where}
-            OR (
-              LOWER(namespaces.path) = LOWER(#{namespace_path})
-              AND LOWER(projects.path) = LOWER(#{project_path})
-            )
-          )"
-        end
-
-        wheres << where
-      end
-
-      if wheres.empty?
-        none
-      else
-        joins(:namespace).where(wheres.join(' OR '))
-      end
-    end
-
     def visibility_levels
       Gitlab::VisibilityLevel.options
     end
@@ -440,6 +360,10 @@ class Project < ActiveRecord::Base
     def group_ids
       joins(:namespace).where(namespaces: { type: 'Group' }).select(:namespace_id)
     end
+
+    # Add alias for Routable method for compatibility with old code.
+    # In future all calls `find_with_namespace` should be replaced with `find_by_full_path`
+    alias_method :find_with_namespace, :find_by_full_path
   end
 
   def lfs_enabled?
@@ -879,13 +803,14 @@ class Project < ActiveRecord::Base
   end
   alias_method :human_name, :name_with_namespace
 
-  def path_with_namespace
-    if namespace
-      namespace.path + '/' + path
+  def full_path
+    if namespace && path
+      namespace.full_path + '/' + path
     else
       path
     end
   end
+  alias_method :path_with_namespace, :full_path
 
   def execute_hooks(data, hooks_scope = :push_hooks)
     hooks.send(hooks_scope).each do |hook|
@@ -1373,4 +1298,8 @@ class Project < ActiveRecord::Base
   def validate_board_limit(board)
     raise BoardLimitExceeded, 'Number of permitted boards exceeded' if boards.size >= NUMBER_OF_PERMITTED_BOARDS
   end
+
+  def full_path_changed?
+    path_changed? || namespace_id_changed?
+  end
 end

app/models/repository.rb

@@ -950,7 +950,7 @@ class Repository
     update_branch_with_hooks(user, base_branch) do
       committer = user_to_committer(user)
       source_sha = Rugged::Commit.create(rugged,
-        message: commit.revert_message,
+        message: commit.revert_message(user),
         author: committer,
         committer: committer,
         tree: revert_tree_id,

app/models/route.rb

+class Route < ActiveRecord::Base
+  belongs_to :source, polymorphic: true
+
+  validates :source, presence: true
+
+  validates :path,
+    length: { within: 1..255 },
+    presence: true,
+    uniqueness: { case_sensitive: false }
+
+  after_update :rename_children, if: :path_changed?
+
+  def rename_children
+    # We update each row separately because MySQL does not have regexp_replace.
+    # rubocop:disable Rails/FindEach
+    Route.where('path LIKE ?', "#{path_was}%").each do |route|
+      # Note that update column skips validation and callbacks.
+      # We need this to avoid recursive call of rename_children method
+      route.update_column(:path, route.path.sub(path_was, path))
+    end
+  end
+end

app/services/commits/change_service.rb

@@ -34,7 +34,7 @@ module Commits
         repository.public_send(action, current_user, @commit, into, tree_id)
         success
       else
-        error_msg = "Sorry, we cannot #{action.to_s.dasherize} this #{@commit.change_type_title} automatically.
+        error_msg = "Sorry, we cannot #{action.to_s.dasherize} this #{@commit.change_type_title(current_user)} automatically.
                      It may have already been #{action.to_s.dasherize}, or a more recent commit may have updated some of its content."
         raise ChangeError, error_msg
       end

app/services/destroy_group_service.rb

@@ -20,6 +20,10 @@ class DestroyGroupService
       ::Projects::DestroyService.new(project, current_user, skip_repo: true).execute
     end
 
+    group.children.each do |group|
+      DestroyGroupService.new(group, current_user).async_execute
+    end
+
     group.really_destroy!
   end
 end

app/views/devise/sessions/new.html.haml

 - page_title "Sign in"
+
 %div
   - if form_based_providers.any?
     = render 'devise/shared/tabs_ldap'

app/views/layouts/nav/_project.html.haml

@@ -77,7 +77,7 @@
         = link_to namespace_project_merge_requests_path(@project.namespace, @project), title: 'Merge Requests', class: 'shortcuts-merge_requests' do
           %span
             Merge Requests
-            %span.badge.count.merge_counter= number_with_delimiter(@project.merge_requests.opened.count)
+            %span.badge.count.merge_counter= number_with_delimiter(MergeRequestsFinder.new(current_user, project_id: @project.id).execute.opened.count)
 
     - if project_nav_tab? :wiki
       = nav_link(controller: :wikis) do

app/views/projects/_merge_request_merge_settings.html.haml

+- form = local_assigns.fetch(:form)
+
+.form-group
+  .checkbox.builds-feature
+    = form.label :only_allow_merge_if_build_succeeds do
+      = form.check_box :only_allow_merge_if_build_succeeds
+      %strong Only allow merge requests to be merged if the build succeeds
+      %br
+      %span.descr
+        Builds need to be configured to enable this feature.
+        = link_to icon('question-circle'), help_page_path('user/project/merge_requests/merge_when_build_succeeds', anchor: 'only-allow-merge-requests-to-be-merged-if-the-build-succeeds')
+  .checkbox
+    = form.label :only_allow_merge_if_all_discussions_are_resolved do
+      = form.check_box :only_allow_merge_if_all_discussions_are_resolved
+      %strong Only allow merge requests to be merged if all discussions are resolved

app/views/projects/_merge_request_settings.html.haml

-.merge-requests-feature
-  %fieldset.builds-feature
-    %hr
-    %h5.prepend-top-0
-      Merge Requests
-    .form-group
-      .checkbox
-        = f.label :only_allow_merge_if_build_succeeds do
-          = f.check_box :only_allow_merge_if_build_succeeds
-          %strong Only allow merge requests to be merged if the build succeeds
-          %br
-          %span.descr
-            Builds need to be configured to enable this feature.
-            = link_to icon('question-circle'), help_page_path('user/project/merge_requests/merge_when_build_succeeds', anchor: 'only-allow-merge-requests-to-be-merged-if-the-build-succeeds')
-      .checkbox
-        = f.label :only_allow_merge_if_all_discussions_are_resolved do
-          = f.check_box :only_allow_merge_if_all_discussions_are_resolved
-          %strong Only allow merge requests to be merged if all discussions are resolved
+- form = local_assigns.fetch(:form)
+
+%fieldset.features.merge-requests-feature.append-bottom-default
+  %hr
+  %h5.prepend-top-0
+    Merge Requests
+
+  = render 'projects/merge_request_merge_settings', form: form

app/views/projects/commit/_change.html.haml

@@ -11,7 +11,7 @@
     .modal-content
       .modal-header
         %a.close{href: "#", "data-dismiss" => "modal"} ×
-        %h3.page-title== #{label} this #{commit.change_type_title}
+        %h3.page-title== #{label} this #{commit.change_type_title(current_user)}
       .modal-body
         = form_tag send("#{type.underscore}_namespace_project_commit_path", @project.namespace, @project, commit.id), method: :post, remote: false, class: 'form-horizontal js-#{type}-form js-requires-input' do
           .form-group.branch

app/views/projects/edit.html.haml

@@ -112,7 +112,8 @@
                 %span.descr Enable Container Registry for this project
                 = link_to icon('question-circle'), help_page_path('user/project/container_registry'), target: '_blank'
 
-        = render 'merge_request_settings', f: f
+        = render 'merge_request_settings', form: f
+
         %hr
         %fieldset.features.append-bottom-default
           %h5.prepend-top-0

app/views/projects/forks/error.html.haml

@@ -13,7 +13,11 @@
     - if @forked_project && @forked_project.errors.any?
       %p
         –
-        = @forked_project.errors.full_messages.first
+        - error = @forked_project.errors.full_messages.first
+        - if error.include?("already been taken")
+          Name has already been taken
+        - else
+          = error
 
     %p
       = link_to new_namespace_project_fork_path(@project.namespace, @project), title: "Fork", class: "btn" do

app/views/projects/merge_requests/_show.html.haml

@@ -31,7 +31,7 @@
         %span.label-branch= source_branch_with_namespace(@merge_request)
         %span into
         %span.label-branch
-          = link_to @merge_request.target_branch, namespace_project_commits_path(@project.namespace, @project, @merge_request.target_branch)
+          = link_to_if @merge_request.target_branch_exists?, @merge_request.target_branch, namespace_project_commits_path(@project.namespace, @project, @merge_request.target_branch)
         - if @merge_request.open? && @merge_request.diverged_from_target_branch?
           %span (#{pluralize(@merge_request.diverged_commits_count, 'commit')} behind)
 

app/views/projects/stage/_graph.html.haml

@@ -4,8 +4,7 @@
 %li.stage-column
   .stage-name
     %a{ name: stage.name }
-    - if stage.name
-      = stage.name.titleize
+    = stage.name.titleize
   .builds-container
     %ul
       - status_groups.each do |group_name, grouped_statuses|

app/views/projects/stage/_stage.html.haml

@@ -4,9 +4,8 @@
       %a{ name: stage.name }
       %span{class: "ci-status-link ci-status-icon-#{stage.status}"}
         = ci_icon_for_status(stage.status)
-      - if stage.name
-         
-        = stage.name.titleize
+       
+      = stage.name.titleize
 = render stage.statuses.latest_ordered, coverage: @project.build_coverage_enabled?, stage: false, ref: false, pipeline_link: false, allow_retry: true
 = render stage.statuses.retried_ordered, coverage: @project.build_coverage_enabled?, stage: false, ref: false, pipeline_link: false, retried: true
 %tr

app/views/shared/_event_filter.html.haml

@@ -4,6 +4,8 @@
     = event_filter_link EventFilter.push, 'Push events'
   - if event_filter_visible(:merge_requests)
     = event_filter_link EventFilter.merged, 'Merge events'
+  - if event_filter_visible(:issues)
+    = event_filter_link EventFilter.issue, 'Issue events'
   - if event_filter_visible(:issues)
     = event_filter_link EventFilter.comments, 'Comments'
   = event_filter_link EventFilter.team, 'Team'

app/views/shared/members/_member.html.haml

@@ -20,8 +20,8 @@
           %strong Blocked
 
       - if source.instance_of?(Group) && !@group
-        = link_to source, class: "member-group-link prepend-left-5" do
-          = "· #{source.name}"
+        ·
+        = link_to source.name, source, class: "member-group-link"
 
       .hidden-xs.cgray
         - if member.request?
@@ -45,7 +45,7 @@
         = time_ago_with_tooltip(member.created_at)
   - if show_roles
     .controls.member-controls
-      - if show_controls
+      - if show_controls && (member.respond_to?(:group) && @group) || (member.respond_to?(:project) && @project)
         - if user != current_user
           = form_for member, remote: true, html: { class: 'form-horizontal js-edit-member-form' } do |f|
             = f.select :access_level, options_for_select(member.class.access_level_roles, member.access_level), {}, class: 'form-control member-form-control append-right-5 js-member-update-control', id: "member_access_level_#{member.id}", disabled: !can_admin_member

changelogs/unreleased/15081-wrong-login-tab-ldap-frontend.yml

+---
+title: Fix wrong tab selected when loggin fails and multiple login tabs exists
+merge_request: 7314
+author: Jacopo Beschi @jacopo-beschi 

changelogs/unreleased/23696-fix-diff-view-highlighting.yml

----
-title: Fix diff view permalink highlighting
-merge_request: 7090
-author:

changelogs/unreleased/24507_remove_deleted_branch_link_in_merge_request.yml

+---
+title: 'Remove unnecessary target branch link from MR page in case of deleted target branch'
+merge_request: 7916
+author: Rydkin Maxim

changelogs/unreleased/24814-pipeline-tabs.yml

----
-title: Fix Cicking on tabs on pipeline page should set URL
-merge_request: 7709
-author:

changelogs/unreleased/24982-ux-improvement-sign-in-success-message.yml

+---
+title: 'fix: 24982- Remove''Signed in successfully'' message After this change the
+  sign-in-success flash message will not be shown'
+merge_request: 7837
+author: jnoortheen

changelogs/unreleased/25171-fix-mr-features-settings-hidden-when-builds-are-disabled.yml

+---
+title: Remove wrong '.builds-feature' class from the MR settings fieldset
+merge_request: 7930
+author: 

changelogs/unreleased/destroy-session.yml

+---
+title: Destroy a user's session when they delete their own account
+merge_request: 
+author: 

changelogs/unreleased/remove-has-visible-content-caching.yml → changelogs/unreleased/dz-nested-groups.yml

 ---
-title: Remove visible content caching
+title: Add nested groups support on data level
 merge_request: 
 author: 

changelogs/unreleased/enable-asciidoctor-admonition-icons.yml

+---
+title: Enable AsciiDoctor admonition icons
+merge_request: 7812
+author: Horacio Sanson

changelogs/unreleased/fix-compatibility-with-ie11-for-merge-requests.yml

----
-title: Fix compatibility with Internet Explorer 11 for merge requests
-merge_request: 7525
-author: Steffen Rauh

changelogs/unreleased/fix-slack-pipeline-event.yml

----
-title: Fix pipeline author for Slack and use pipeline id for pipeline link
-merge_request: 7506
-author:

changelogs/unreleased/fix-authorize-users-into-imported-gitlab-project.yml → changelogs/unreleased/group-members-in-project-members-view.yml

 ---
-title: Authorize users into imported GitLab project
+title: Shows group members in project members list
 merge_request: 
 author: 

changelogs/unreleased/html-safe-diff-line-content.yml

+---
+title: Don't accidentally mark unsafe diff lines as HTML safe
+merge_request: 
+author: 

changelogs/unreleased/issue-events-filter.yml

+---
+title: Add issue events filter and make all really show all events
+merge_request: 7673
+author:  Oxan van Leeuwen

changelogs/unreleased/jej-23867-use-mr-finder-instead-of-access-check.yml

+---
+title: Replace MR access checks with use of MergeRequestsFinder
+merge_request: 
+author: 

changelogs/unreleased/public-tags-api.yml

+---
+title: Allow public access to some Tag API endpoints
+merge_request: 
+author: 

changelogs/unreleased/small-emoji-adjustments.yml

+---
+title: Various small emoji positioning adjustments
+merge_request:
+author: 

changelogs/unreleased/timeago-perf-fix.yml

+---
+title: Fixed timeago re-rendering every timeago
+merge_request: 
+author: 

config/application.rb

@@ -45,7 +45,7 @@ module Gitlab
     #
     # Parameters filtered:
     # - Password (:password, :password_confirmation)
-    # - Private tokens (:private_token)
+    # - Private tokens (:private_token, :authentication_token)
     # - Two-factor tokens (:otp_attempt)
     # - Repo/Project Import URLs (:import_url)
     # - Build variables (:variables)
@@ -55,6 +55,7 @@ module Gitlab
     # - Sentry DSN (:sentry_dsn)
     # - Deploy keys (:key)
     config.filter_parameters += %i(
+      authentication_token
       certificate
       encrypted_key
       hook

config/initializers/sentry.rb

@@ -15,7 +15,7 @@ if Rails.env.production?
     Raven.configure do |config|
       config.dsn = current_application_settings.sentry_dsn
       config.release = Gitlab::REVISION
-      
+
       # Sanitize fields based on those sanitized from Rails.
       config.sanitize_fields = Rails.application.config.filter_parameters.map(&:to_s)
       # Sanitize authentication headers

db/migrate/20161124111390_add_parent_id_to_namespace.rb

+# See http://doc.gitlab.com/ce/development/migration_style_guide.html
+# for more information on how to write migrations for GitLab.
+
+class AddParentIdToNamespace < ActiveRecord::Migration
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  def change
+    add_column(:namespaces, :parent_id, :integer)
+  end
+end

db/migrate/20161124111395_add_index_to_parent_id.rb

+# See http://doc.gitlab.com/ce/development/migration_style_guide.html
+# for more information on how to write migrations for GitLab.
+
+class AddIndexToParentId < ActiveRecord::Migration
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  disable_ddl_transaction!
+
+  def change
+    add_concurrent_index(:namespaces, [:parent_id, :id], unique: true)
+  end
+end

db/migrate/20161124111402_add_routes_table.rb

+# See http://doc.gitlab.com/ce/development/migration_style_guide.html
+# for more information on how to write migrations for GitLab.
+
+class AddRoutesTable < ActiveRecord::Migration
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  def change
+    create_table :routes do |t|
+      t.integer :source_id,    null: false
+      t.string  :source_type,  null: false
+      t.string  :path,         null: false
+
+      t.timestamps
+    end
+  end
+end

db/migrate/20161130095245_fill_routes_table.rb

+# See http://doc.gitlab.com/ce/development/migration_style_guide.html
+# for more information on how to write migrations for GitLab.
+
+class FillRoutesTable < ActiveRecord::Migration
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = true
+  DOWNTIME_REASON = 'No new namespaces should be created during data copy'
+
+  def up
+    execute <<-EOF
+      INSERT INTO routes
+      (source_id, source_type, path)
+      (SELECT id, 'Namespace', path FROM namespaces)
+    EOF
+  end
+
+  def down
+    Route.delete_all(source_type: 'Namespace')
+  end
+end

db/migrate/20161130101252_fill_projects_routes_table.rb

+# See http://doc.gitlab.com/ce/development/migration_style_guide.html
+# for more information on how to write migrations for GitLab.
+
+class FillProjectsRoutesTable < ActiveRecord::Migration
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = true
+  DOWNTIME_REASON = 'No new projects should be created during data copy'
+
+  def up
+    execute <<-EOF
+      INSERT INTO routes
+      (source_id, source_type, path)
+      (SELECT projects.id, 'Project', concat(namespaces.path, '/', projects.path) FROM projects
+      INNER JOIN namespaces ON projects.namespace_id = namespaces.id)
+    EOF
+  end
+
+  def down
+    Route.delete_all(source_type: 'Project')
+  end
+end

db/migrate/20161202152031_remove_duplicates_from_routes.rb

+# See http://doc.gitlab.com/ce/development/migration_style_guide.html
+# for more information on how to write migrations for GitLab.
+
+class RemoveDuplicatesFromRoutes < ActiveRecord::Migration
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  def up
+    select_all("SELECT path FROM #{quote_table_name(:routes)} GROUP BY path HAVING COUNT(*) > 1").each do |row|
+      path = connection.quote(row['path'])
+      execute(%Q{
+        DELETE FROM #{quote_table_name(:routes)}
+        WHERE path = #{path}
+        AND id != (
+          SELECT id FROM (
+            SELECT max(id) AS id
+            FROM #{quote_table_name(:routes)}
+            WHERE path = #{path}
+          ) max_ids
+        )
+      })
+    end
+  end
+
+  def down
+  end
+end

db/migrate/20161202152035_add_index_to_routes.rb

+# See http://doc.gitlab.com/ce/development/migration_style_guide.html
+# for more information on how to write migrations for GitLab.
+
+class AddIndexToRoutes < ActiveRecord::Migration
+  include Gitlab::Database::MigrationHelpers
+
+  # Set this constant to true if this migration requires downtime.
+  DOWNTIME = false
+
+  disable_ddl_transaction!
+
+  def change
+    add_concurrent_index(:routes, :path, unique: true)
+    add_concurrent_index(:routes, [:source_type, :source_id], unique: true)
+  end
+end

db/schema.rb

@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20161128161412) do
+ActiveRecord::Schema.define(version: 20161202152035) do
 
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
@@ -98,14 +98,14 @@ ActiveRecord::Schema.define(version: 20161128161412) do
     t.text "help_page_text_html"
     t.text "shared_runners_text_html"
     t.text "after_sign_up_text_html"
-    t.boolean "sidekiq_throttling_enabled", default: false
-    t.string "sidekiq_throttling_queues"
-    t.decimal "sidekiq_throttling_factor"
     t.boolean "housekeeping_enabled", default: true, null: false
     t.boolean "housekeeping_bitmaps_enabled", default: true, null: false
     t.integer "housekeeping_incremental_repack_period", default: 10, null: false
     t.integer "housekeeping_full_repack_period", default: 50, null: false
     t.integer "housekeeping_gc_period", default: 200, null: false
+    t.boolean "sidekiq_throttling_enabled", default: false
+    t.string "sidekiq_throttling_queues"
+    t.decimal "sidekiq_throttling_factor"
     t.boolean "html_emails_enabled", default: true
   end
 
@@ -737,8 +737,9 @@ ActiveRecord::Schema.define(version: 20161128161412) do
     t.integer "visibility_level", default: 20, null: false
     t.boolean "request_access_enabled", default: false, null: false
     t.datetime "deleted_at"
-    t.boolean "lfs_enabled"
     t.text "description_html"
+    t.boolean "lfs_enabled"
+    t.integer "parent_id"
   end
 
   add_index "namespaces", ["created_at"], name: "index_namespaces_on_created_at", using: :btree
@@ -746,6 +747,7 @@ ActiveRecord::Schema.define(version: 20161128161412) do
   add_index "namespaces", ["name"], name: "index_namespaces_on_name", unique: true, using: :btree
   add_index "namespaces", ["name"], name: "index_namespaces_on_name_trigram", using: :gin, opclasses: {"name"=>"gin_trgm_ops"}
   add_index "namespaces", ["owner_id"], name: "index_namespaces_on_owner_id", using: :btree
+  add_index "namespaces", ["parent_id", "id"], name: "index_namespaces_on_parent_id_and_id", unique: true, using: :btree
   add_index "namespaces", ["path"], name: "index_namespaces_on_path", unique: true, using: :btree
   add_index "namespaces", ["path"], name: "index_namespaces_on_path_trigram", using: :gin, opclasses: {"path"=>"gin_trgm_ops"}
   add_index "namespaces", ["type"], name: "index_namespaces_on_type", using: :btree
@@ -991,6 +993,17 @@ ActiveRecord::Schema.define(version: 20161128161412) do
   add_index "releases", ["project_id", "tag"], name: "index_releases_on_project_id_and_tag", using: :btree
   add_index "releases", ["project_id"], name: "index_releases_on_project_id", using: :btree
 
+  create_table "routes", force: :cascade do |t|
+    t.integer "source_id", null: false
+    t.string "source_type", null: false
+    t.string "path", null: false
+    t.datetime "created_at"
+    t.datetime "updated_at"
+  end
+
+  add_index "routes", ["path"], name: "index_routes_on_path", unique: true, using: :btree
+  add_index "routes", ["source_type", "source_id"], name: "index_routes_on_source_type_and_source_id", unique: true, using: :btree
+
   create_table "sent_notifications", force: :cascade do |t|
     t.integer "project_id"
     t.integer "noteable_id"
@@ -1206,8 +1219,8 @@ ActiveRecord::Schema.define(version: 20161128161412) do
     t.datetime "otp_grace_period_started_at"
     t.boolean "ldap_email", default: false, null: false
     t.boolean "external", default: false
-    t.string "organization"
     t.string "incoming_email_token"
+    t.string "organization"
     t.boolean "authorized_projects_populated"
   end
 

doc/administration/high_availability/database.md

@@ -41,7 +41,7 @@ If you use a cloud-managed service, or provide your own PostgreSQL:
     mailroom['enable'] = false
 
     # PostgreSQL configuration
-    postgresql['sql_password'] = 'DB password'
+    gitlab_rails['db_password'] = 'DB password'
     postgresql['md5_auth_cidr_addresses'] = ['0.0.0.0/0']
     postgresql['listen_address'] = '0.0.0.0'
     ```
@@ -80,7 +80,7 @@ If you use a cloud-managed service, or provide your own PostgreSQL:
 
 1. Similarly, set the password for the `gitlab` database user. Use the same
    password that you specified in the `/etc/gitlab/gitlab.rb` file for
-   `postgresql['sql_password']`.
+   `gitlab_rails['db_password']`.
 
     ```
     \password gitlab

doc/api/tags.md

@@ -2,7 +2,9 @@
 
 ## List project repository tags
 
-Get a list of repository tags from a project, sorted by name in reverse alphabetical order.
+Get a list of repository tags from a project, sorted by name in reverse
+alphabetical order. This endpoint can be accessed without authentication if the
+repository is publicly accessible.
 
 ```
 GET /projects/:id/repository/tags
@@ -40,7 +42,8 @@ Parameters:
 
 ## Get a single repository tag
 
-Get a specific repository tag determined by its name.
+Get a specific repository tag determined by its name. This endpoint can be
+accessed without authentication if the repository is publicly accessible.
 
 ```
 GET /projects/:id/repository/tags/:tag_name

doc/api/users.md

@@ -291,7 +291,9 @@ Parameters:
 
 - `id` (required) - The ID of the user
 
-## Current user
+## User
+
+### For normal users
 
 Gets currently authenticated user.
 
@@ -335,6 +337,53 @@ GET /user
 }
 ```
 
+### For admins
+
+Parameters:
+
+- `sudo` (required) - the ID of a user
+
+```
+GET /user
+```
+
+```json
+{
+  "id": 1,
+  "username": "john_smith",
+  "email": "john@example.com",
+  "name": "John Smith",
+  "state": "active",
+  "avatar_url": "http://localhost:3000/uploads/user/avatar/1/index.jpg",
+  "web_url": "http://localhost:3000/john_smith",
+  "created_at": "2012-05-23T08:00:58Z",
+  "is_admin": false,
+  "bio": null,
+  "location": null,
+  "skype": "",
+  "linkedin": "",
+  "twitter": "",
+  "website_url": "",
+  "organization": "",
+  "last_sign_in_at": "2012-06-01T11:41:01Z",
+  "confirmed_at": "2012-05-23T09:05:22Z",
+  "theme_id": 1,
+  "color_scheme_id": 2,
+  "projects_limit": 100,
+  "current_sign_in_at": "2012-06-02T06:36:55Z",
+  "identities": [
+    {"provider": "github", "extern_uid": "2435223452345"},
+    {"provider": "bitbucket", "extern_uid": "john_smith"},
+    {"provider": "google_oauth2", "extern_uid": "8776128412476123468721346"}
+  ],
+  "can_create_group": true,
+  "can_create_project": true,
+  "two_factor_enabled": true,
+  "external": false,
+  "private_token": "dd34asd13as"
+}
+```
+
 ## List SSH keys
 
 Get a list of currently authenticated user's SSH keys.

doc/update/8.14-to-8.15.md

@@ -113,7 +113,7 @@ sudo -u git -H bundle exec rake assets:clean assets:precompile cache:clear RAILS
 There are new configuration options available for [`gitlab.yml`](config/gitlab.yml.example). View them with the command below and apply them manually to your current `gitlab.yml`:
 
 ```sh
-git diff origin/8-13-stable:config/gitlab.yml.example origin/8-15-stable:config/gitlab.yml.example
+git diff origin/8-14-stable:config/gitlab.yml.example origin/8-15-stable:config/gitlab.yml.example
 ```
 
 #### Git configuration
@@ -131,10 +131,10 @@ Ensure you're still up-to-date with the latest NGINX configuration changes:
 
 ```sh
 # For HTTPS configurations
-git diff origin/8-13-stable:lib/support/nginx/gitlab-ssl origin/8-15-stable:lib/support/nginx/gitlab-ssl
+git diff origin/8-14-stable:lib/support/nginx/gitlab-ssl origin/8-15-stable:lib/support/nginx/gitlab-ssl
 
 # For HTTP configurations
-git diff origin/8-13-stable:lib/support/nginx/gitlab origin/8-15-stable:lib/support/nginx/gitlab
+git diff origin/8-14-stable:lib/support/nginx/gitlab origin/8-15-stable:lib/support/nginx/gitlab
 ```
 
 If you are using Apache instead of NGINX please see the updated [Apache templates].

lib/api/entities.rb

@@ -22,7 +22,7 @@ module API
       expose :provider, :extern_uid
     end
 
-    class UserFull < User
+    class UserPublic < User
       expose :last_sign_in_at
       expose :confirmed_at
       expose :email
@@ -34,7 +34,7 @@ module API
       expose :external
     end
 
-    class UserLogin < UserFull
+    class UserWithPrivateToken < UserPublic
       expose :private_token
     end
 
@@ -289,7 +289,7 @@ module API
     end
 
     class SSHKeyWithUser < SSHKey
-      expose :user, using: Entities::UserFull
+      expose :user, using: Entities::UserPublic
     end
 
     class Note < Grape::Entity

lib/api/helpers.rb

@@ -44,11 +44,14 @@ module API
         return nil
       end
 
-      identifier = sudo_identifier()
+      identifier = sudo_identifier
 
-      # If the sudo is the current user do nothing
-      if identifier && !(@current_user.id == identifier || @current_user.username == identifier)
+      if identifier
+        # We check for private_token because we cannot allow PAT to be used
         forbidden!('Must be admin to use sudo') unless @current_user.is_admin?
+        forbidden!('Private token must be specified in order to use sudo') unless private_token_used?
+
+        @impersonator = @current_user
         @current_user = User.by_username_or_id(identifier)
         not_found!("No user id or username for: #{identifier}") if @current_user.nil?
       end
@@ -108,7 +111,7 @@ module API
       if id =~ /^\d+$/
         Group.find_by(id: id)
       else
-        Group.find_by(path: id)
+        Group.find_by_full_path(id)
       end
     end
 
@@ -383,6 +386,10 @@ module API
       links.join(', ')
     end
 
+    def private_token_used?
+      private_token == @current_user.private_token
+    end
+
     def secret_token
       Gitlab::Shell.secret_token
     end

lib/api/session.rb

 module API
   class Session < Grape::API
     desc 'Login to get token' do
-      success Entities::UserLogin
+      success Entities::UserWithPrivateToken
     end
     params do
       optional :login, type: String, desc: 'The username'
@@ -14,7 +14,7 @@ module API
 
       return unauthorized! unless user
       return render_api_error!('401 Unauthorized. You have 2FA enabled. Please use a personal access token to access the API', 401) if user.two_factor_enabled?
-      present user, with: Entities::UserLogin
+      present user, with: Entities::UserWithPrivateToken
     end
   end
 end

lib/api/tags.rb

 module API
   # Git Tags API
   class Tags < Grape::API
-    before { authenticate! }
     before { authorize! :download_code, user_project }
 
     params do

lib/api/users.rb

@@ -51,7 +51,7 @@ module API
           users = users.external if params[:external] && current_user.is_admin?
         end
 
-        entity = current_user.is_admin? ? Entities::UserFull : Entities::UserBasic
+        entity = current_user.is_admin? ? Entities::UserPublic : Entities::UserBasic
         present paginate(users), with: entity
       end
 
@@ -66,7 +66,7 @@ module API
         not_found!('User') unless user
 
         if current_user && current_user.is_admin?
-          present user, with: Entities::UserFull
+          present user, with: Entities::UserPublic
         elsif can?(current_user, :read_user, user)
           present user, with: Entities::User
         else
@@ -75,7 +75,7 @@ module API
       end
 
       desc 'Create a user. Available only for admins.' do
-        success Entities::UserFull
+        success Entities::UserPublic
       end
       params do
         requires :email, type: String, desc: 'The email of the user'
@@ -99,7 +99,7 @@ module API
         end
 
         if user.save
-          present user, with: Entities::UserFull
+          present user, with: Entities::UserPublic
         else
           conflict!('Email has already been taken') if User.
               where(email: user.email).
@@ -114,7 +114,7 @@ module API
       end
 
       desc 'Update a user. Available only for admins.' do
-        success Entities::UserFull
+        success Entities::UserPublic
       end
       params do
         requires :id, type: Integer, desc: 'The ID of the user'
@@ -161,7 +161,7 @@ module API
         user_params.delete(:provider)
 
         if user.update_attributes(user_params)
-          present user, with: Entities::UserFull
+          present user, with: Entities::UserPublic
         else
           render_validation_error!(user)
         end
@@ -350,10 +350,10 @@ module API
 
     resource :user do
       desc 'Get the currently authenticated user' do
-        success Entities::UserFull
+        success Entities::UserPublic
       end
       get do
-        present current_user, with: Entities::UserFull
+        present current_user, with: @impersonator ? Entities::UserWithPrivateToken : Entities::UserPublic
       end
 
       desc "Get the currently authenticated user's SSH keys" do

lib/constraints/group_url_constrainer.rb

@@ -4,7 +4,7 @@ class GroupUrlConstrainer
 
     return false unless valid?(id)
 
-    Group.find_by(path: id).present?
+    Group.find_by_full_path(id).present?
   end
 
   private

lib/event_filter.rb

@@ -14,6 +14,10 @@ class EventFilter
       'merged'
     end
 
+    def issue
+      'issue'
+    end
+
     def comments
       'comments'
     end
@@ -32,32 +36,20 @@ class EventFilter
   end
 
   def apply_filter(events)
-    return events unless params.present?
-
-    filter = params.dup
-    actions = []
+    return events if params.blank? || params == EventFilter.all
 
-    case filter
+    case params
     when EventFilter.push
-      actions = [Event::PUSHED]
+      events.where(action: Event::PUSHED)
     when EventFilter.merged
-      actions = [Event::MERGED]
+      events.where(action: Event::MERGED)
     when EventFilter.comments
-      actions = [Event::COMMENTED]
+      events.where(action: Event::COMMENTED)
     when EventFilter.team
-      actions = [Event::JOINED, Event::LEFT, Event::EXPIRED]
-    when EventFilter.all
-      actions = [
-        Event::PUSHED,
-        Event::MERGED,
-        Event::COMMENTED,
-        Event::JOINED,
-        Event::LEFT,
-        Event::EXPIRED
-      ]
+      events.where(action: [Event::JOINED, Event::LEFT, Event::EXPIRED])
+    when EventFilter.issue
+      events.where(action: [Event::CREATED, Event::UPDATED, Event::CLOSED, Event::REOPENED])
     end
-
-    events.where(action: actions)
   end
 
   def options(key)
@@ -73,6 +65,10 @@ class EventFilter
   end
 
   def active?(key)
-    params.include? key
+    if params.present?
+      params.include? key
+    else
+      key == EventFilter.all
+    end
   end
 end

lib/gitlab/asciidoc.rb

@@ -6,7 +6,7 @@ module Gitlab
   module Asciidoc
     DEFAULT_ADOC_ATTRS = [
       'showtitle', 'idprefix=user-content-', 'idseparator=-', 'env=gitlab',
-      'env-gitlab', 'source-highlighter=html-pipeline'
+      'env-gitlab', 'source-highlighter=html-pipeline', 'icons=font'
     ].freeze
 
     # Public: Converts the provided Asciidoc markup into HTML.

lib/gitlab/search_results.rb

@@ -68,7 +68,7 @@ module Gitlab
     end
 
     def merge_requests
-      merge_requests = MergeRequest.in_projects(project_ids_relation)
+      merge_requests = MergeRequestsFinder.new(current_user).execute.in_projects(project_ids_relation)
       if query =~ /[#!](\d+)\z/
         merge_requests = merge_requests.where(iid: $1)
       else

spec/controllers/projects/todo_controller_spec.rb

@@ -110,7 +110,7 @@ describe Projects::TodosController do
         end
       end
 
-      context 'when not authorized' do
+      context 'when not authorized for project' do
         it 'does not create todo for merge request user has no access to' do
           sign_in(user)
           expect do
@@ -128,6 +128,19 @@ describe Projects::TodosController do
           expect(response).to have_http_status(302)
         end
       end
+
+      context 'when not authorized for merge_request' do
+        before do
+          project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
+          project.project_feature.update!(merge_requests_access_level: ProjectFeature::PRIVATE)
+          sign_in(user)
+        end
+
+        it "doesn't create todo" do
+          expect{ go }.not_to change { user.todos.count }
+          expect(response).to have_http_status(404)
+        end
+      end
     end
   end
 end

spec/controllers/sessions_controller_spec.rb

@@ -22,7 +22,6 @@ describe SessionsController do
         it 'authenticates user correctly' do
           post(:create, user: { login: user.username, password: user.password })
 
-          expect(response).to set_flash.to /Signed in successfully/
           expect(subject.current_user). to eq user
         end
 

spec/features/merge_requests/target_branch_spec.rb

+require 'spec_helper'
+
+describe 'Target branch', feature: true do
+  let(:user) { create(:user) }
+  let(:merge_request) { create(:merge_request) }
+  let(:project) { merge_request.project }
+
+  def path_to_merge_request
+    namespace_project_merge_request_path(
+      project.namespace,
+      project, merge_request
+    )
+  end
+
+  before do
+    login_as user
+    project.team << [user, :master]
+  end
+
+  it 'shows link to target branch' do
+    visit path_to_merge_request
+    expect(page).to have_link('feature', href: namespace_project_commits_path(project.namespace, project, merge_request.target_branch))
+  end
+
+  context 'when branch was deleted' do
+    before do
+      DeleteBranchService.new(project, user).execute('feature')
+      visit path_to_merge_request
+    end
+
+    it 'shows a message about missing target branch' do
+      expect(page).to have_content(
+        'Target branch feature does not exist'
+      )
+    end
+
+    it 'does not show link to target branch' do
+      expect(page).not_to have_link('feature')
+    end
+  end
+end

spec/features/projects/members/group_members_spec.rb

+require 'spec_helper'
+
+feature 'Projects members', feature: true do
+  let(:user) { create(:user) }
+  let(:developer) { create(:user) }
+  let(:group) { create(:group, :public, :access_requestable) }
+  let(:project) { create(:empty_project, :public, :access_requestable, creator: user, group: group) }
+  let(:project_invitee) { create(:project_member, project: project, invite_token: '123', invite_email: 'test1@abc.com', user: nil) }
+  let(:group_invitee) { create(:group_member, group: group, invite_token: '123', invite_email: 'test2@abc.com', user: nil) }
+  let(:project_requester) { create(:user) }
+  let(:group_requester) { create(:user) }
+
+  background do
+    project.team << [developer, :developer]
+    group.add_owner(user)
+    login_as(user)
+  end
+
+  context 'with a group invitee' do
+    before do
+      group_invitee
+      visit namespace_project_project_members_path(project.namespace, project)
+    end
+
+    scenario 'does not appear in the project members page' do
+      page.within first('.content-list') do
+        expect(page).not_to have_content('test2@abc.com')
+      end
+    end
+  end
+
+  context 'with a group and a project invitee' do
+    before do
+      group_invitee
+      project_invitee
+      visit namespace_project_project_members_path(project.namespace, project)
+    end
+
+    scenario 'shows the project invitee, the project developer, and the group owner' do
+      page.within first('.content-list') do
+        expect(page).to have_content('test1@abc.com')
+        expect(page).not_to have_content('test2@abc.com')
+
+        # Project developer
+        expect(page).to have_content(developer.name)
+
+        # Group owner
+        expect(page).to have_content(user.name)
+        expect(page).to have_content(group.name)
+      end
+    end
+  end
+
+  context 'with a group requester' do
+    before do
+      group.request_access(group_requester)
+      visit namespace_project_project_members_path(project.namespace, project)
+    end
+
+    scenario 'does not appear in the project members page' do
+      page.within first('.content-list') do
+        expect(page).not_to have_content(group_requester.name)
+      end
+    end
+  end
+
+  context 'with a group and a project requesters' do
+    before do
+      group.request_access(group_requester)
+      project.request_access(project_requester)
+      visit namespace_project_project_members_path(project.namespace, project)
+    end
+
+    scenario 'shows the project requester, the project developer, and the group owner' do
+      page.within first('.content-list') do
+        expect(page).to have_content(project_requester.name)
+        expect(page).not_to have_content(group_requester.name)
+      end
+
+      page.within all('.content-list').last do
+        # Project developer
+        expect(page).to have_content(developer.name)
+
+        # Group owner
+        expect(page).to have_content(user.name)
+        expect(page).to have_content(group.name)
+      end
+    end
+  end
+end

spec/features/projects/settings/merge_requests_settings_spec.rb

+require 'spec_helper'
+
+feature 'Project settings > Merge Requests', feature: true, js: true do
+  include GitlabRoutingHelper
+
+  let(:project) { create(:empty_project, :public) }
+  let(:user) { create(:user) }
+
+  background do
+    project.team << [user, :master]
+    login_as(user)
+  end
+
+  context 'when Merge Request and Builds are initially enabled' do
+    before do
+      project.project_feature.update_attribute('merge_requests_access_level', ProjectFeature::ENABLED)
+    end
+
+    context 'when Builds are initially enabled' do
+      before do
+        project.project_feature.update_attribute('builds_access_level', ProjectFeature::ENABLED)
+        visit edit_project_path(project)
+      end
+
+      scenario 'shows the Merge Requests settings' do
+        expect(page).to have_content('Only allow merge requests to be merged if the build succeeds')
+        expect(page).to have_content('Only allow merge requests to be merged if all discussions are resolved')
+
+        select 'Disabled', from: "project_project_feature_attributes_merge_requests_access_level"
+
+        expect(page).not_to have_content('Only allow merge requests to be merged if the build succeeds')
+        expect(page).not_to have_content('Only allow merge requests to be merged if all discussions are resolved')
+      end
+    end
+
+    context 'when Builds are initially disabled' do
+      before do
+        project.project_feature.update_attribute('builds_access_level', ProjectFeature::DISABLED)
+        visit edit_project_path(project)
+      end
+
+      scenario 'shows the Merge Requests settings that do not depend on Builds feature' do
+        expect(page).not_to have_content('Only allow merge requests to be merged if the build succeeds')
+        expect(page).to have_content('Only allow merge requests to be merged if all discussions are resolved')
+
+        select 'Everyone with access', from: "project_project_feature_attributes_builds_access_level"
+
+        expect(page).to have_content('Only allow merge requests to be merged if the build succeeds')
+        expect(page).to have_content('Only allow merge requests to be merged if all discussions are resolved')
+      end
+    end
+  end
+
+  context 'when Merge Request are initially disabled' do
+    before do
+      project.project_feature.update_attribute('merge_requests_access_level', ProjectFeature::DISABLED)
+      visit edit_project_path(project)
+    end
+
+    scenario 'does not show the Merge Requests settings' do
+      expect(page).not_to have_content('Only allow merge requests to be merged if the build succeeds')
+      expect(page).not_to have_content('Only allow merge requests to be merged if all discussions are resolved')
+
+      select 'Everyone with access', from: "project_project_feature_attributes_merge_requests_access_level"
+
+      expect(page).to have_content('Only allow merge requests to be merged if the build succeeds')
+      expect(page).to have_content('Only allow merge requests to be merged if all discussions are resolved')
+    end
+  end
+end

spec/features/u2f_spec.rb

@@ -163,8 +163,7 @@ feature 'Using U2F (Universal 2nd Factor) Devices for Authentication', feature:
         click_on "Sign in via U2F device"
         expect(page.body).to match('We heard back from your U2F device')
         click_on "Authenticate via U2F Device"
-
-        expect(page.body).to match('Signed in successfully')
+        expect(page.body).to match('href="/users/sign_out"')
       end
     end
 
@@ -178,7 +177,7 @@ feature 'Using U2F (Universal 2nd Factor) Devices for Authentication', feature:
         expect(page.body).to match('We heard back from your U2F device')
         click_on "Authenticate via U2F Device"
 
-        expect(page.body).to match('Signed in successfully')
+        expect(page.body).to match('href="/users/sign_out"')
       end
     end
 
@@ -234,7 +233,7 @@ feature 'Using U2F (Universal 2nd Factor) Devices for Authentication', feature:
           expect(page.body).to match('We heard back from your U2F device')
           click_on "Authenticate via U2F Device"
 
-          expect(page.body).to match('Signed in successfully')
+          expect(page.body).to match('href="/users/sign_out"')
         end
       end
     end
@@ -275,7 +274,7 @@ feature 'Using U2F (Universal 2nd Factor) Devices for Authentication', feature:
           expect(page.body).to match('We heard back from your U2F device')
           click_on "Authenticate via U2F Device"
 
-          expect(page.body).to match('Signed in successfully')
+          expect(page.body).to match('href="/users/sign_out"')
 
           logout
         end

spec/fixtures/api/schemas/user/login.json

+{
+  "type": "object",
+  "required": [
+    "id",
+    "username",
+    "email",
+    "name",
+    "state",
+    "avatar_url",
+    "web_url",
+    "created_at",
+    "is_admin",
+    "bio",
+    "location",
+    "skype",
+    "linkedin",
+    "twitter",
+    "website_url",
+    "organization",
+    "last_sign_in_at",
+    "confirmed_at",
+    "theme_id",
+    "color_scheme_id",
+    "projects_limit",
+    "current_sign_in_at",
+    "identities",
+    "can_create_group",
+    "can_create_project",
+    "two_factor_enabled",
+    "external",
+    "private_token"
+  ],
+  "properties": {
+    "$ref": "full.json",
+    "private_token": { "type": "string" }
+  }
+}

spec/fixtures/api/schemas/user/public.json

+{
+  "type": "object",
+  "required": [
+    "id",
+    "username",
+    "email",
+    "name",
+    "state",
+    "avatar_url",
+    "web_url",
+    "created_at",
+    "is_admin",
+    "bio",
+    "location",
+    "skype",
+    "linkedin",
+    "twitter",
+    "website_url",
+    "organization",
+    "last_sign_in_at",
+    "confirmed_at",
+    "theme_id",
+    "color_scheme_id",
+    "projects_limit",
+    "current_sign_in_at",
+    "identities",
+    "can_create_group",
+    "can_create_project",
+    "two_factor_enabled",
+    "external"
+  ],
+  "properties": {
+    "id": { "type": "integer" },
+    "username": { "type": "string" },
+    "email": { 
+      "type": "string",
+      "pattern": "^[^@]+@[^@]+$"
+    },
+    "name": { "type": "string" },
+    "state": { 
+      "type": "string",
+      "enum": ["active", "blocked"] 
+    },
+    "avatar_url": { "type": "string" },
+    "web_url": { "type": "string" },
+    "created_at": { "type": "date" },
+    "is_admin": { "type": "boolean" },
+    "bio": { "type": ["string", "null"] },
+    "location": { "type": ["string", "null"] },
+    "skype": { "type": "string" },
+    "linkedin": { "type": "string" },
+    "twitter": { "type": "string "},
+    "website_url": { "type": "string" },
+    "organization": { "type": ["string", "null"] },
+    "last_sign_in_at": { "type": "date" },
+    "confirmed_at": { "type": ["date", "null"] },
+    "theme_id": { "type": "integer" },
+    "color_scheme_id": { "type": "integer" },
+    "projects_limit": { "type": "integer" },
+    "current_sign_in_at": { "type": "date" },
+    "identities": { 
+      "type": "array",
+      "items": {
+        "type": "object",
+        "properties": {
+          "provider": { 
+            "type": "string",
+            "enum": ["github", "bitbucket", "google_oauth2"] 
+          },
+          "extern_uid": { "type": ["number", "string"] }
+        }
+      }
+    },
+    "can_create_group": { "type": "boolean" },
+    "can_create_project": { "type": "boolean" },
+    "two_factor_enabled": { "type": "boolean" },
+    "external": { "type": "boolean" } 
+  }
+}